Asset-owner rule: ask for observable evidence: product name, version source, reachability, feature state, owner, business service, and remediation constraints. Do not let "probably not affected" become closure.
Asset Owner Validation Questions
Ask asset owners for proof, not guesses.
Use these questions when a vulnerability may apply but product, version, exposure, feature state, business role, or remediation constraints need owner confirmation.
Question Sets
Use the smallest set that answers the decision.
Product and version
What exact product, edition, component, package, plugin, appliance model, or service is installed? What is the version or build, and where did that value come from?
Affected scope
Which hosts, clusters, tenants, regions, containers, appliances, or business services use this product or component?
Feature state
Is the vulnerable feature, module, protocol, endpoint, plugin, or integration enabled, reachable, or used in production?
Exposure
Is the service internet-facing, reachable from partner networks, reachable only internally, authenticated, unauthenticated, or protected by access controls?
Business role
What service does this asset support, who owns it, what outage impact matters, and when is the next safe change window?
Remediation constraints
What blocks patching: compatibility, testing, vendor support, maintenance window, rollback risk, uptime requirement, or dependency ownership?
Decision Questions
Ask different questions for each action lane.
Patch now
Can you confirm affected version, exposure, owner, fixed version, test path, rollback path, and maintenance window by [date]?
Mitigate first
Can you restrict access, disable the vulnerable feature, isolate the service, or apply a vendor workaround while patch planning continues?
Not affected
What evidence proves the product, version, feature, platform, or exposure path does not apply to this asset group?
Exception
If patching is blocked, who accepts residual risk, which controls reduce exposure, and when does the decision expire?
Detection handoff
Which logs, owners, telemetry sources, or application behaviors can SOC use to validate attempts or control failure?
Vendor clarification
What product/version/deployment facts should we include in the vendor support case so the answer is actionable?
Copy Template
Asset owner validation request
Asset owner validation request - [CVE/advisory] We need to confirm whether [product/component] on [asset group/service] is affected. Please provide: 1. Exact product/component/edition/package/appliance/service name. 2. Installed version/build and evidence source. 3. Whether the vulnerable feature/path/protocol is enabled or reachable. 4. Exposure context: internet-facing, internal, authenticated, restricted, segmented. 5. Business service and outage/change-window constraints. 6. Current patch, workaround, or mitigation status. 7. Evidence for not-affected, fixed, mitigated, or exception status. Decision needed: [patch/mitigate/monitor/not affected/exception/vendor escalation]. Needed by: [date/time]. Caveat: without this evidence, we should keep the item in validation rather than close or escalate it.
Quality Checks
A useful answer can be reviewed later.
Source named
The owner says where the version, exposure, feature state, or business impact came from.
Scope bounded
The answer identifies the fleet, service, tenant, cluster, or asset group it covers and what remains unknown.
Evidence attached
Inventory, screenshots, package output, console state, scan result, owner attestation, or change record supports the answer.
Next action clear
The response moves the item to patch, mitigate, monitor, not affected, exception, vendor escalation, or continued validation.
Recommended next move: send the validation request, record the answer as evidence, then move the item into the correct action lane.